<html>
<head>
    <title>Live View 0.4 FAQ</title>
</head>

<body>
        <h1><font face="Arial">Live View FAQ</font></h1>

		<i>
        	<a href="mailto:bfkaplan@andrew.cmu.edu">bfkaplan@andrew.cmu.edu</a><br/>
        	August 2006<br/>
        	Version 0.4
		</i>


        <p><b><font face="Arial">What is Live View?</font></b></p>

        <p>
        <ul>
        <li>
        Live View is a tool that allows disk images or physical drives to be booted
        up in a virtual machine and examined in a forensically sound manner.
        </li>
        </ul>
        </p>


        <p><b><font face="Arial">Won&#8217;t Booting The Image Destroy Evidence?</font></b></p>

        <p>
        <ul>
        <li>
        No. Live View redirects all changes to a scratch file,
        leaving the original image untouched. Live View works just fine on 
        images set as read-only and will even alert the user if the image they 
        are booting is not set as such. One can also run a cryptographic checksum
        on the image before and after booting with Live View to
        verify the integrity of the evidence.
        </li>
        </ul>
        </p>

        <p><b><font face="Arial">How Do I Run Live View?</font></b></p>

        <p>
        <ul>
        <li>
        First install Live View by double clicking the installer. It will check your system for all of the
        requirements and install them as necessary. When the installation completes, you should be able to 
        simply double click the Live View icon on your desktop to start the program.
        </li>
        </ul>
        </p>

        <p><b><font face="Arial">What Image Formats Does Live View Handle?</font></b></p>

        <p>
        <ul>
        <li>
        Live View handles exact bit-for-bit images of disks, such
        as those created with 'dd'. Other image formats can often be
        converted to standard bit-for-bit images. For example, the
        free FTK Imager (<a href="http://www.accessdata.com/ftkuser/imager.htm">http://www.accessdata.com/ftkuser/imager.htm</a>)
        can convert EnCase images into a standard dd image for use
        with Live View. Live View is also capable of booting physical disks (not images) attached
        to the computer with a USB or FireWire bridge. The bridge can, of course, also function as a write blocker
        for an added layer of protection against modifying the disk. 
        </li>
        </ul>
        </p>

        <p><b><font face="Arial">What Types of Imaged Systems Can Be Booted?</font></b></p>

        <ul>
            <li>Windows XP</li>

            <li>Windows 2000</li>

            <li>Windows Server 2003</li>

            <li>Windows NT (Partial Support)</li>
            
            <li>Windows Me</li>
                        
            <li>Windows 98</li>
            
            <li>Linux (Partial Support)</li>
            
        </ul>

        <p>
        <ul>
        <li>
        While the above has been verified, we have both a
        limited set of hardware and system images with which to
        test Live View. We would love to receive your feedback on what
        types of images have worked, which have failed, and what types you
        would like to see supported in the future.
        </li>
        </ul>
        </p>

        <p><b><font face="Arial">What if I Only Have an Image of the Bootable Partition and Not the Entire Disk?</font></b></p>

        <p>
        <ul>
        <li>
        No problem. Live View will automatically detect this and
        build a Master Boot Record for your partition, allowing it
        to boot.
        </li>
        </ul>
		</p>
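        <p>
        The idea behind that answer, as an added example (not Live View's own code): tell a partition-only image
        from a full-disk image by its first sector, then build the partition table of a replacement Master Boot Record.
        The detection heuristic, the function names and the sample boot sector are assumptions made for illustration.
        </p>

```python
import struct

def classify_sector0(sec):
    """Return 'partition', 'disk' or 'unknown' for the first 512 bytes of an image."""
    if len(sec) < 512 or sec[510:512] != b"\x55\xaa":
        return "unknown"
    # A volume boot record names its filesystem at a fixed offset.
    if sec[3:11] == b"NTFS    " or sec[54:59] in (b"FAT12", b"FAT16") or sec[82:87] == b"FAT32":
        return "partition"
    entries = [sec[446 + 16 * i:462 + 16 * i] for i in range(4)]
    # An MBR has status bytes of 0x00/0x80 and at least one non-empty type.
    if all(e[0] in (0x00, 0x80) for e in entries) and any(e[4] for e in entries):
        return "disk"
    return "unknown"

def chs(lba, heads=255, spt=63):
    """Encode an LBA as the 3-byte CHS field (saturated beyond cylinder 1023)."""
    c, h, s = lba // (heads * spt), (lba // spt) % heads, lba % spt + 1
    if c > 1023:
        return b"\xfe\xff\xff"
    return bytes([h, s | ((c >> 2) & 0xC0), c & 0xFF])

def build_mbr(vbr, partition_sectors, ptype=0x07):
    """Build an MBR with one active entry describing the partition image.
    Bytes 0-445 (loader code) stay zero here; a bootable MBR needs them filled."""
    # The boot sector's hidden-sectors field records the original start LBA.
    start = struct.unpack_from("<I", vbr, 28)[0] or 63
    entry = (bytes([0x80]) + chs(start) + bytes([ptype]) +
             chs(start + partition_sectors - 1) +
             struct.pack("<II", start, partition_sectors))
    mbr = bytearray(512)
    mbr[446:462] = entry
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr), start

def sample_ntfs_vbr():
    """Constructed NTFS boot sector header (not taken from a real image)."""
    vbr = bytearray(512)
    vbr[0:3], vbr[3:11] = b"\xeb\x52\x90", b"NTFS    "
    struct.pack_into("<H", vbr, 11, 512)   # bytes per sector
    struct.pack_into("<I", vbr, 28, 63)    # hidden sectors = original start LBA
    vbr[510:512] = b"\x55\xaa"
    return bytes(vbr)

if __name__ == "__main__":
    vbr = sample_ntfs_vbr()
    mbr, start = build_mbr(vbr, partition_sectors=2048)
    print(classify_sector0(vbr), classify_sector0(mbr), "partition starts at LBA", start)
```

        <p>
        The generated sector is presented to the virtual machine ahead of the partition data; the partition image itself is never written to.
        </p>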

        <p><b><font face="Arial">Does Live View Handle Split Images?</font></b></p>

        <p>
        <ul>
        <li>
        Yes. Simply select all of the chunks in the browse dialog by using Ctrl + Click. Live View sorts the chunks
        by their file extensions, so be sure that the chunks have either numerically or alphabetically ordered file extensions.
        </li>
        </ul>
        </p>
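        <p>
        An added example (not part of Live View) of the before-and-after checksum suggested in the evidence question above,
        extended to split images: chunks are hashed as one stream in extension order, and any chunk not set read-only is reported.
        The ordering rule in <code>ext_key</code> and the constructed sample chunks are assumptions.
        </p>

```python
import hashlib, os, stat, tempfile

def ext_key(paths):
    """Sort key on the file extension: numeric if every extension is digits,
    otherwise alphabetical (assumed ordering rule, not Live View's code)."""
    exts = [os.path.splitext(p)[1][1:] for p in paths]
    if all(e.isdigit() for e in exts):
        return lambda p: int(os.path.splitext(p)[1][1:])
    return lambda p: os.path.splitext(p)[1].lower()

def image_digest(paths, algo="sha256"):
    """Hash all chunks as one stream, in extension order."""
    h = hashlib.new(algo)
    for p in sorted(paths, key=ext_key(paths)):
        with open(p, "rb") as f:
            for block in iter(lambda: f.read(1 << 20), b""):
                h.update(block)
    return h.hexdigest()

def writable(paths):
    """Chunks whose read-only flag is not set (any write permission bit present)."""
    mask = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH
    return [p for p in paths if os.stat(p).st_mode & mask]

def demo():
    """Constructed sample: three small chunks named .1, .2 and .10."""
    d = tempfile.mkdtemp()
    chunks = []
    for ext, data in (("10", b"CCCC"), ("1", b"AAAA"), ("2", b"BBBB")):
        p = os.path.join(d, "evidence." + ext)
        with open(p, "wb") as f:
            f.write(data)
        chunks.append(p)
    not_protected = writable(chunks)          # all three, before chmod
    for p in chunks:
        os.chmod(p, stat.S_IREAD)             # set read-only before examination
    before = image_digest(chunks)
    # ... boot and examine the image here ...
    after = image_digest(chunks)
    return not_protected, writable(chunks), before, after

if __name__ == "__main__":
    unprotected, still_writable, before, after = demo()
    print("writable before chmod:", len(unprotected), "after:", len(still_writable))
    print("evidence intact" if before == after else "IMAGE CHANGED", before)
```

        <p>
        Extensions such as .1, .2, .10 only sort correctly when compared as numbers; zero-padded extensions (.001, .002, .010) sort the same way under either rule.
        </p>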

        <p><b><font face="Arial">Does Live View Support Dual Boot Images?</font></b></p>

        <p>
        <ul>
        <li>
        Yes, there is full support for the primary Operating
        System on the machine and partial support for the Secondary
        Operating System. If you need to boot the secondary OS,
        simply choose the primary OS in the Live View dropdown menu
        and wait for the OS selection screen to come up while the
        system is booting. From there, select to boot the secondary
        OS. In some cases, you may experience a blue screen error
        which will be fixed once full Dual Boot support is
        implemented.
        </li>
        </ul>
        </p>

        <p><b><font face="Arial">What Do I Need To Run Live View?</font></b></p>

        <ul>
            <li>VMware Server Full Install (<a href="http://www.vmware.com/download/server/">Free Download</a>) or VMware Workstation 5.5 (<a href="http://www.vmware.com/download/ws/">30 Day Trial</a>)</li>

            <li>Java Runtime Environment (<a href="http://www.java.com/getjava/">http://www.java.com/getjava/</a>)</li>

			<li>VMware Disk Mount Utility (<a href="http://www.vmware.com/download/eula/diskmount_ws_v55.html">http://www.vmware.com/download/eula/diskmount_ws_v55.html</a>)</li>

            <li>A Microsoft Windows Machine (XP, 2000, or 2003)</li>

            <li>Some Bit-for-Bit Disk Images</li>
        </ul>

        <p><b><font face="Arial">How Do I Make The Virtual Machine Feel Less Sluggish?</font></b></p>

        <p>
        <ul>
        <li>
        Virtual Machines are inherently slower than their hardware counterparts. You can, however, make them feel more
        responsive by installing VMware Tools. To do so, wait until the Virtual Machine boots and then from the VMware
        Menu select VM->Install VMware Tools. This will require a reboot of the VM.
        </li>
        </ul>
        </p>
        
        <p><b><font face="Arial">Why Can't I Access The Internet From The Virtual Machine?</font></b></p>

        <p>
        <ul>
        <li>
		The virtual Ethernet device is purposely disabled to prevent any malware on the virtual machine
		from automatically spreading or communicating with external hosts once the image has booted. 
        </li>
        </ul>
        </p>
        
        <p><b><font face="Arial">How Can I Transfer Files To And From The Virtual Machine Without Internet Access?</font></b></p>

        <p>
        <ul>
        <li>
        One way to transfer files between the Virtual Machine and host computer is to install VMware Tools. To do so, 
        wait until the Virtual Machine boots. On the VMware menu, click VM->Install VMware Tools. Follow the installation
        wizard to completion. When the installation finishes, you will be required to reboot the Virtual Machine. For quick 
        one time copies, a USB storage device is probably the most convenient option. Insert the device while the Virtual Machine has
        the focus and on the VMware menu, click VM->Removable Devices->USB Devices and select your USB device. You should also be able
        to read and transfer files from the CD Drive inside the virtual machine. 
        </li>
        </ul>
        </p>
        
        <p><b><font face="Arial">Why Am I Being Asked To Install Drivers for New Hardware?</font></b></p>

        <p>
        <ul>
        <li>
        Operating Systems typically install drivers for the specific set of hardware on which the OS was originally installed. Similar to taking the 
        disk out of one system and booting it up inside a system with different hardware, a virtual machine's emulated hardware will often not match the hardware on which the system was
        originally installed. For this reason, the OS will often attempt to install the missing drivers for that new hardware. If you are prompted for
        an install CD, you may be able to simply hit cancel and continue booting. 
        </li>
        </ul>
        </p>
        
        <p><b><font face="Arial">Why Am I Being Asked To Activate The Suspect's OS?</font></b></p>

        <p>
        <ul>
        <li>
		Windows activation is often triggered by "significant" hardware changes in the machine. Weights are assigned to various pieces of hardware
		and thresholds are set for things like RAM size to determine what is considered a change worthy of requiring reactivation. 
		When booting the suspect's image, Windows may detect VMware's emulated hardware (or lack thereof in the case of the NIC) as a significant hardware 
		change and may require reactivation to log in. For most systems you will be given a grace period which can subsequently be reset an infinite number
		of times by re-launching the machine "from scratch." Some systems (such as XP without any service packs) may provide no grace period in which case
		the only option (currently) is to activate the machine using Microsoft's automated activation system by phone. Also, by setting the input parameters for 
		Live View (such as RAM size) to match the suspect's hardware as closely as possible, you may decrease the probability of triggering the Windows activation process. 
        </li>
        </ul>
        </p>

        <p><b><font face="Arial">How Do I Remove All My Changes And Start From Scratch Again?</font></b></p>

		<p>
		<ul>
		<li>
		If you are working on a system and decide you would like to revert back to the original, click the red stop button in the VMware 
		window and close VMware. Go back to Live View and enter in the new options you would like to use and hit the start button. When prompted 
		to continue where you left off or start over, simply select start over and the original image will boot back up without all of the changes that
		you made while working with it previously. 
		</li>
		</ul>
		</p>


        <p><b><font face="Arial">I Have a Feature Request, Who Do I Contact?</font></b></p>

        <p>
        <ul>
        <li>
        We would love to hear your feedback on what is useful,
        what needs to improve, and what you would like to see in
        future releases of Live View. Email your requests and comments
        to <a href="mailto:bfkaplan@andrew.cmu.edu?subject=Live%20View%20Feature%20Request">
        bfkaplan@andrew.cmu.edu</a>.
        </li>
        </ul>
        </p>

<p/>
<p/>

</body>
</html>
